Domain has exceeded the max emails per hour

Maning

• May 24, 2018 02:48

Hello, I am experiencing problem with a specific email address. It sends mass spam mails, CSF notify me: [SPOILER="Localhost relay info">Time: Tue May 22 07:32:25 2018 +0300 Type: LOCALHOSTRELAY, IPv6 localhost - ::1 Count: 355 emails relayed Blocked: No Sample of the first 10 emails: - Removed -
On mail delivery reports I saw differences between mail send from spam and mail send from user: User mail: Authentication: dovecot_login Delivery User: -remote- Router: dkim_lookuphost Transport: dkim_remote_smtp
Spam mail: Authentication: dovecot_login Delivery User: -system- Router: enforce_mail_permissions Transport: fail (because domain has exceeded the max emails per hour)
I am wondering: If this is a normal login (spammer have the email password) or is something else going wrong? Why delivery user on spam mails is system? Why router on spam mail is enforce_mail_permissions? (Because domain exceeded the max emails per hours?

• 

  cPanelLauren

  • May 24, 2018 17:31

  Hi @Maning With this amount of information I would lean towards a php script sending the mail but with some more information we can find out for sure. Please run the following via SSH and reply with the output: grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t
  Thanks!

  0
• 

  Maning

  • May 29, 2018 07:10

  grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
1 /home/user1/public_html/mail 1 /home/user2/public_html 1 /home/user3/public_html/test 1 /home/user4/public_html/site 1 /home/user5/public_html 1 /home/user6/public_html/en 1 /home/user7/public_html 1 /home/user8/public_html 2 /home/user9/public_html 2 /home/user10/public_html/wp-admin 7 /home/user11 15 /root 25 /home/user12/public_html 184 /home/user13/public_html 311 /home/user14/public_html 2138 /etc/csf 2265 /
grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t
info@domain15.com 60 elen@domain10.com 77 user13 186 root 359 user16 397 user17 622 mailnull 965 user15 95251
  user15 owns domain15

  0
• 

  cPanelLauren

  • May 29, 2018 14:38

  Hi @Maning And to confirm the first command I had you run, user15 didn't show up at all?

  0
• 

  Maning

  • May 29, 2018 16:28

  That's right user15 didn't show up at all in first command

  0
• 

  cPanelLauren

  • May 29, 2018 16:53

  That wasn't quite what I was expecting! I was hoping to see an account or if it's the user a path where the mail originated from. The following is something we use internally to identify the origin of spam really quickly -in this case, we know the user15 account is to blame but not specifically who or what perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
  Let me know what it reports for "Emails by user" and "Directories mail is originating from" please

  0
• 

  Maning

  • May 29, 2018 21:00

  Nothing unusual to the report But the command check 5 days ago? (exim_mainlog was already renamed from that date) [QUOTE] Emails by user: 97 : mailnull 54 : user8 30 : root 30 : user7 10 : user6 3 : user5 2 : user4 1 : user3 1 : user2 1 : user1 54 : /home/user8/public_html 30 : /home/user7/public_html 10 : /home/user6/public_html 3 : /root 2 : /home/user4/public_html 1 : /home/user3/public_html/wp-admin 1 : /home/user2/public_html/contactform 1 : /home/user1/public_html/wp-admin
  

  0
• 

  cPanelLauren

  • May 30, 2018 13:00

  Hi @Maning Yea, none of these will be really effective if the user15 account is not still sending spam, in fact it would be almost impossible to determine this without the issue occurring or access to the logs. Can you go ahead and open a ticket so we can take a closer look if the issue is persisting. Thanks!

  0
• 

  Maning

  • May 30, 2018 22:16

  According to the ticket: I was able to find a number of spamd log entries for localhost connections that were considered spam. Some of them were from user15 who owns domain15: [00:20:09 hostname root@9656309 /var/log]cPs# grep user15 /root/May24spamassassin May 24 08:56:05 hostname spamd[10280]: spamd: setuid to user15 succeeded May 24 08:56:05 hostname spamd[10280]: spamd: checking message <3d1181987f3b43986d6bedf46ae2ef2f@pomagri.com.br> for user15:1011 May 24 08:56:07 hostname spamd[10280]: spamd: identified spam (6.0/5.0) for user15:1011 in 2.3 seconds, 43303 bytes. May 24 08:56:07 hostname spamd[10280]: spamd: result: Y 6 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE,RDNS_NONE,SPF_FAIL scantime=2.3,size=43303,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46106,mid=<3d1181987f3b43986d6bedf46ae2ef2f@pomagri.com.br>,autolearn=no autolearn_force=no,shortcircuit=no May 24 22:13:10 hostname spamd[29702]: spamd: setuid to user15 succeeded May 24 22:13:10 hostname spamd[29702]: spamd: checking message for user15:1011 May 24 22:13:12 hostname spamd[29702]: spamd: identified spam (15.6/5.0) for user15:1011 in 1.5 seconds, 174004 bytes. May 24 22:13:12 hostname spamd[29702]: spamd: result: Y 15 - HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,KAM_VERY_BLACK_DBL,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLACK,URIBL_DBL_SPAM scantime=1.5,size=174004,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57486,mid=,autolearn=spam autolearn_force=no,shortcircuit=no =-=
  This happen to some other users as well, but nothing at the current maillog. So I was confused were the problem is located?

  0
• 

  cPanelLauren

  • May 31, 2018 12:38

  Hi @Maning Can you please reply with the ticket ID? I'd like to take a look at what was investigated in the ticket as well as the notes. Thanks!

  0

Please sign in to leave a comment.